Thanks for responding so quickly. Fortunately I'm running
18.104.22.168-26, so I should be able to have the memberOf plugin
automatically add the "inetuser" to my entries if needed.
I took a look at the document you mentioned (thanks!), and I'm still a
bit confused (apologies for being thick).
I'm in the Advanced settings of the MemberOf plugin, and there isn't
an option to add the attribute "memberofAutoAddOC" and set
the default value to inetUser.
An ldapsearch still fails to show any entries with cn=MemberOf
Are you doing the search as Directory Manager?
ldapsearch -D "cn=directory manager" -W -xLLL -b "cn=config"
I'm not 100% sure your build of 1.3.4 has this fix - that's a pretty
early version - I'm looking into this now, and I will get back to you
once I have this info.
I'm sure I'm missing the obvious. Any suggestions would be appreciated.
On 2/17/16 12:58 PM, Mark Reynolds wrote:
> The memberOf plugin is trying to add the "memberOf" attribute to the
> entry, but the entry is missing an objectclass that allows
> "memberOf". Typically you need to add "objectclass: inetuser"
> all your entries for memberOf Plugin to work as you'd expect.
> If you are using "389-ds-base-1.3.4" or later, the memberOf plugin
> can automatically add "inetuser" to the entries for you(if it is
> On 02/17/2016 01:37 PM, houser(a)nso.edu wrote:
>> I'm new to 389-ds and last week downloaded and installed the software.
>> I have a running instance of the server, and I've added TLS/SSL.
>> I've configured a CentOS 7 client to be able to query
>> the server using TLS/SSL, and all appears working.
>> I've created users and groups on the 389-ds server successfully.
>> For each user and group, I've enabled posix attributes and my client
>> can see the unix users and groups using the "getent password" or
>> "getent group" commands.
>> Now, here's where I'm getting tripped up..........
>> I need to limit which users have access to which systems. I've been
>> trying to do this via memberOf group limitations.
>> I found the following online resource
>> which is close enough to CentOS that the initial commands worked.
>> I enabled the MemberOf plugin and changed the attributes per the
>> link, and restarted the system.
>> I created a test group (that I didn't enable a posix GID) and tried
>> to add a single user via:
>> Right click on group -- > click Properties --> then Members -->
>> click Add --> Search for user --> click Add.
>> When I try to go this route (which worked before enabling the
>> memberOf plugin) it worked. Now it seems I get the error:
>> "Cannot save to directory server.
>> netscape.ldap.LDAPException: error resiult(65): Object class violation"
>> And the messages file throws the error
>> "Entry "uid=test,ou=People,dc=int,dc=com" -- attribute
>> not allowed
>> [17/Feb/2016:11:22:58 -0700] memberof-plugin -
>> memberof_postop_modify: failed to add dn
>> (cn=testgroup,ou=Groups,dc=int,dc=com) to target. Error (65)"
>> So it seems my server isn't quite using the memberOf plugin
>> properly, but I'm not sure what else to enable. I'll have to solve
>> this issue before
>> I even try to filter login access via groups on my client system.
>> I should mention that if I go under the advanced tab for one of the
>> groups I created, I can add the the attribute "uniquemember", but
>> I'm not sure what I
>> should set the "value" to be.
>> I've tried creating new users to see if I could set their
>> "uniquemember" attributes, but no luck. It seems that I don't have
>> the ability to set this attribute
>> on individual users, only groups.
>> This might not be the right road to head down when trying to
>> restrict access to servers via groups, so I'm open to any suggestions.
>> Any suggestions would be appreciated.
>> 389 users mailing list
> 389 users mailing list
389 users mailing list